{\rtf1\ansi\ansicpg1252\cocoartf1038\cocoasubrtf350
{\fonttbl\f0\fswiss\fcharset0 ArialMT;\f1\froman\fcharset0 TimesNewRomanPSMT;\f2\fmodern\fcharset0 CourierNewPSMT;
\f3\fmodern\fcharset0 Courier;\f4\fnil\fcharset0 LucidaGrande;\f5\fmodern\fcharset0 Courier-Bold;
}
{\colortbl;\red255\green255\blue255;}
{\*\listtable{\list\listtemplateid1\listhybrid{\listlevel\levelnfc23\levelnfcn23\leveljc0\leveljcn0\levelfollow0\levelstartat1\levelspace360\levelindent0{\*\levelmarker \{disc\}}{\leveltext\leveltemplateid1\'01\uc0\u8226 ;}{\levelnumbers;}\fi-360\li720\lin720 }{\listlevel\levelnfc23\levelnfcn23\leveljc0\leveljcn0\levelfollow0\levelstartat1\levelspace360\levelindent0{\*\levelmarker \{disc\}}{\leveltext\leveltemplateid2\'01\uc0\u8226 ;}{\levelnumbers;}\fi-360\li1440\lin1440 }{\listname ;}\listid1}
{\list\listtemplateid2\listhybrid{\listlevel\levelnfc23\levelnfcn23\leveljc0\leveljcn0\levelfollow0\levelstartat1\levelspace360\levelindent0{\*\levelmarker \{disc\}}{\leveltext\leveltemplateid101\'01\uc0\u8226 ;}{\levelnumbers;}\fi-360\li720\lin720 }{\listlevel\levelnfc23\levelnfcn23\leveljc0\leveljcn0\levelfollow0\levelstartat1\levelspace360\levelindent0{\*\levelmarker \{disc\}}{\leveltext\leveltemplateid102\'01\uc0\u8226 ;}{\levelnumbers;}\fi-360\li1440\lin1440 }{\listname ;}\listid2}
{\list\listtemplateid3\listhybrid{\listlevel\levelnfc23\levelnfcn23\leveljc0\leveljcn0\levelfollow0\levelstartat1\levelspace360\levelindent0{\*\levelmarker \{disc\}}{\leveltext\leveltemplateid201\'01\uc0\u8226 ;}{\levelnumbers;}\fi-360\li720\lin720 }{\listlevel\levelnfc23\levelnfcn23\leveljc0\leveljcn0\levelfollow0\levelstartat1\levelspace360\levelindent0{\*\levelmarker \{disc\}}{\leveltext\leveltemplateid202\'01\uc0\u8226 ;}{\levelnumbers;}\fi-360\li1440\lin1440 }{\listname ;}\listid3}
{\list\listtemplateid4\listhybrid{\listlevel\levelnfc23\levelnfcn23\leveljc0\leveljcn0\levelfollow0\levelstartat1\levelspace360\levelindent0{\*\levelmarker \{disc\}}{\leveltext\leveltemplateid301\'01\uc0\u8226 ;}{\levelnumbers;}\fi-360\li720\lin720 }{\listlevel\levelnfc23\levelnfcn23\leveljc0\leveljcn0\levelfollow0\levelstartat1\levelspace360\levelindent0{\*\levelmarker \{disc\}}{\leveltext\leveltemplateid302\'01\uc0\u8226 ;}{\levelnumbers;}\fi-360\li1440\lin1440 }{\listname ;}\listid4}
{\list\listtemplateid5\listhybrid{\listlevel\levelnfc23\levelnfcn23\leveljc0\leveljcn0\levelfollow0\levelstartat1\levelspace360\levelindent0{\*\levelmarker \{disc\}}{\leveltext\leveltemplateid401\'01\uc0\u8226 ;}{\levelnumbers;}\fi-360\li720\lin720 }{\listlevel\levelnfc23\levelnfcn23\leveljc0\leveljcn0\levelfollow0\levelstartat1\levelspace360\levelindent0{\*\levelmarker \{disc\}}{\leveltext\leveltemplateid402\'01\uc0\u8226 ;}{\levelnumbers;}\fi-360\li1440\lin1440 }{\listname ;}\listid5}
{\list\listtemplateid6\listhybrid{\listlevel\levelnfc23\levelnfcn23\leveljc0\leveljcn0\levelfollow0\levelstartat1\levelspace360\levelindent0{\*\levelmarker \{disc\}}{\leveltext\leveltemplateid501\'01\uc0\u8226 ;}{\levelnumbers;}\fi-360\li720\lin720 }{\listlevel\levelnfc23\levelnfcn23\leveljc0\leveljcn0\levelfollow0\levelstartat1\levelspace360\levelindent0{\*\levelmarker \{disc\}}{\leveltext\leveltemplateid502\'01\uc0\u8226 ;}{\levelnumbers;}\fi-360\li1440\lin1440 }{\listname ;}\listid6}
{\list\listtemplateid7\listhybrid{\listlevel\levelnfc23\levelnfcn23\leveljc0\leveljcn0\levelfollow0\levelstartat1\levelspace360\levelindent0{\*\levelmarker \{disc\}}{\leveltext\leveltemplateid601\'01\uc0\u8226 ;}{\levelnumbers;}\fi-360\li720\lin720 }{\listlevel\levelnfc23\levelnfcn23\leveljc0\leveljcn0\levelfollow0\levelstartat1\levelspace360\levelindent0{\*\levelmarker \{disc\}}{\leveltext\leveltemplateid602\'01\uc0\u8226 ;}{\levelnumbers;}\fi-360\li1440\lin1440 }{\listname ;}\listid7}}
{\*\listoverridetable{\listoverride\listid1\listoverridecount0\ls1}{\listoverride\listid2\listoverridecount0\ls2}{\listoverride\listid3\listoverridecount0\ls3}{\listoverride\listid4\listoverridecount0\ls4}{\listoverride\listid5\listoverridecount0\ls5}{\listoverride\listid6\listoverridecount0\ls6}{\listoverride\listid7\listoverridecount0\ls7}}
{\info
{\author Sherwin F}}\margl1440\margr1440\vieww12240\viewh15400\viewkind1
\deftab720
\pard\pardeftab720\ri0

\f0\b\fs36 \cf0 Eventlog to Syslog v4.4
\f1\b0 \
\pard\pardeftab720\ri0

\f0\fs24 \cf0 Release 4.4
\f1 \

\f0 Last revised Nov 24, 2010
\f1 \
\

\f0 This product includes software developed by Purdue University.\
\pard\pardeftab720\ri0

\f1\fs28 \cf0 \
\pard\pardeftab720\ri0

\f0\fs24 \cf0 The Eventlog to Syslog utility is a Windows service originally created by Curtis Smith at Purdue University. The original utility and source code can be found at the following website: https://engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys/\
\
Version 4 was modified by Sherwin Faria in July, 2009, in order to meet the needs of Rochester Institute of Technology.\
\
This update of the Eventlog to Syslog client builds upon the original code by offering several bug fixes and some additional features.\
\pard\pardeftab720\ri0

\f1 \cf0 \
\
\pard\pardeftab720\ri0

\f0 \cf0 Changes in v4.4:\
\pard\pardeftab720\li1080\fi-360\ri0
\ls1\ilvl1\cf0 \'95	Finally added the ability to send only specified events\
\'95	Set Audit Failures to show as Error instead of Notice on Vista/2k8+\
\'95	Allow user to specify the minimum severity to process\
\'95	Added registry keys to configure the minimum severity and mode\
\'95	The keys are 
\f2 LogLevel
\f0  and 
\f2 IncludeOnly
\f0 . Both are DWORD values; 0 means disabled. See the readme for additional details.\
\pard\pardeftab720\ri0

\f1 \cf0 \
\
\pard\pardeftab720\ri0

\f0 \cf0 Send all comments, questions, bug reports, and requests to:\
\
Sherwin Faria\
Rochester Institute of Technology\
Information & Technology Services, Bldg. 10\
1 Lomb Memorial Drive\
Rochester, NY 14623, U.S.A.\
sherwin.faria@gmail.com
\f1 \
\
\pard\pardeftab720\ri0\sb240\sa60

\b\fs32 \cf0 \page \pard\pardeftab720\ri0\sb240\sa60

\f0 \cf0 TABLE OF CONTENTS\
\pard\tx720\pardeftab720\li720\fi-360\ri0\sa60

\fs24 \cf0 1)	Usage\
\pard\pardeftab720\li720\fi-360\ri0\sa60
\cf0 2)	Installing the Service\
3)	Uninstalling the Service\
4)	Debug Mode\
5)	Specifying Log Hosts\
6)	Specifying Syslog Facility\
7)	Appendix (Includes Changelog)
\f1\fs28 \
\pard\pardeftab720\ri0\sb240\sa60

\f0 \cf0 1.  Usage:\
\pard\pardeftab720\li720\ri0

\f1\b0\fs24 \cf0 \
\pard\pardeftab720\li720\ri0\sb120

\f3\fs20 \cf0 Version: 4.4 (32-bit)\
\pard\pardeftab720\li720\ri-720
\cf0 Usage: evtsys.exe -i|-u|-d [-h host] [-b host] [-f facility] [-p port]\
       [-s minutes] [-l level] [-n]\
\pard\pardeftab720\li720\ri0
\cf0   -i           Install service\
  -u           Uninstall service\
  -d           Debug: run as console program\
  -h host      Name of log host\
  -b host      Name of secondary log host (optional)\
  -f facility  Facility level of syslog message\
  -l level     Minimum level to send to syslog.\
		   0=All/Verbose, 1=Critical, 2=Error, 3=Warning, 4=Info\
  -n           Include only those events specified in the config file.\
  -p port      Port number of syslogd\
\pard\pardeftab720\li720\ri-180
\cf0   -q bool      Query the Dhcp server to obtain the syslog/port to log to\
\pard\pardeftab720\li720\ri0
\cf0                (0/1 = disable/enable)\
  -s minutes   Optional interval between status messages. 0 = Disabled\
\
Default port: 514\
Default facility: daemon\
Default status interval: 0\
Host (-h) required if installing.\
\pard\pardeftab720\ri0

\f1\fs24 \cf0 \
\pard\pardeftab720\ri0\sb240

\f0\b\fs28 \cf0 2. Installing the Service\
\pard\pardeftab720\ri0

\b0\fs24 \cf0 The Service installs eight registry values in 
\b HKLM\\SOFTWARE\\ECN\\EvtSys\\3.0\
\pard\pardeftab720\fi720\ri0

\b0 \cf0 Facility		(DWORD)	Default: 3\
IncludeOnly		(DWORD)	Default: 0\
LogHost		(String)	Default: N/A\
LogHost2		(String)	Default: <empty>\
LogLevel		(DWORD)	Default: 0\
Port			(DWORD)	Default: 514\
QueryDhcp		(DWORD)	Default: 0\
StatusInterval	(DWORD)	Default: 0\
\pard\pardeftab720\ri0

\f1 \cf0 \
\pard\pardeftab720\ri0

\f0 \cf0 If no secondary host is specified LogHost2 is blank.\
It also registers itself as a service under the name evtsys and displays in services.msc as \'93Eventlog to Syslog\'94.\
\
The program must be installed from the command line and must be located in C:\\Windows\\System32.\
After you have run evtsys.exe with the 
\i -i
\i0  switch and specified a loghost you can then type 
\i net start evtsys
\i0  to start the service.\
To start or stop the service from the command line type: 
\i\b net start evtsys
\i0\b0     or    
\i\b net stop evtsys\

\i0\b0 Alternatively you can start the service from the Services control panel in Administrative Tools. Look for "Eventlog to Syslog".\
\pard\pardeftab720\ri0

\f1 \cf0 \
\pard\pardeftab720\li720\ri0\sb240\sa60

\f0\b\fs26 \cf0 2.1. Using a DHCP Option\
\pard\pardeftab720\li720\ri0

\b0\fs24 \cf0 The DHCP option is called 
\i EventToSyslogDhcpOption
\i0 . It is in the format x.x.x.x.\
\
\pard\pardeftab720\li720\ri0

\b \cf0 Notes: (Courtesy of Damien)
\f1 \
\pard\pardeftab720\li720\ri0

\f0\b0 \cf0 Microsoft Windows has a big problem with non-standard DHCP options: it requires us to "install" a "persistent DHCP request" in order to be able to retrieve them...\
\
I have seen some Windows systems still unable to retrieve even the standard options without using a persistent request, so activating this branch of code will do the trick. Note that it will only work from the second boot onward because, as stated in the MSDN docs, the persistent request is only processed at boot time: the first boot registers the request, and the second boot performs it.\
\
For the sake of being completely documented, here is where to look in case things go wrong:\
\
HKLM\\System\\CurrentControlSet\\Services\\Dhcp\\Parameters:\
the GUID keys are the GUIDs of the network adapters, and the values are simply the DHCP packets, so look into those values and you will read the options as passed by the DHCP server (you will recognize the options Windows says it knows nothing about... but here they are).\
\
HKLM\\System\\CurrentControlSet\\Services\\Dhcp\\Parameters\\Options:\
lists the "options" Windows knows about, a kind of factory defaults. Unusable for us, but it is here that you will see new keys appear when you activate the "persistent request" mechanism.
\f1 \
\pard\pardeftab720\ri0
\cf0 \
\pard\pardeftab720\ri0\sb240

\f0\b\fs28 \cf0 3. Uninstalling\
\pard\pardeftab720\ri0

\b0\fs24 \cf0 Uninstalling the service will delete the registry keys created during installation and unregister the Eventlog to Syslog service. All files will remain in their current location.\
\
\pard\pardeftab720\ri0\sb240\sa60

\b\fs28 \cf0 4. Debug Mode\
\pard\pardeftab720\ri0

\b0\fs24 \cf0 Debug mode provides additional information on the operation of the service.\
The following information is displayed while in debug mode:\
\pard\pardeftab720\li1080\fi-360\ri0
\ls2\ilvl1\cf0 \'95	The source and ID of an ignored event\
\'95	All error messages\
\pard\pardeftab720\ri0

\f1 \cf0 \
\pard\pardeftab720\ri0\sb240\sa60

\f0\b\fs28 \cf0 5. Specifying Log Hosts\
\pard\pardeftab720\ri0

\b0\fs24 \cf0 Use command line switches 
\i \'96h
\i0  and 
\i \'96b
\i0  to specify your primary and secondary Syslog servers. The 
\i \'96b
\i0  switch is optional, but 
\i \'96h
\i0  is required when installing the agent. \
\
You may specify either the hostname or IP address of a host. The utility will convert the hostname into an IP address and store that address in the registry.\
\
\pard\pardeftab720\ri0\sb240\sa60

\b\fs28 \cf0 6. Specifying Facility\
\pard\pardeftab720\ri0

\b0\fs24 \cf0 The Syslog protocol specifies 24 facilities:\
\pard\pardeftab720\li720\ri0
\cf0   0 kernel messages\
  1 user-level messages\
  2 mail system\
  3 system daemons\
  4 security/authorization messages\
  5 messages generated internally by syslogd\
  6 line printer subsystem\
  7 network news subsystem\
  8 UUCP subsystem\
  9 clock daemon\
10 security/authorization messages\
11 FTP daemon\
12 NTP subsystem\
13 log audit\
14 log alert\
15 clock daemon\
16 local use 0 (local0)\
17 local use 1 (local1)\
18 local use 2 (local2)\
19 local use 3 (local3)\
20 local use 4 (local4)\
21 local use 5 (local5)\
22 local use 6 (local6)\
23 local use 7 (local7)\
\pard\pardeftab720\ri0

\f1 \cf0 \
\pard\pardeftab720\ri0

\f0 \cf0 By default the \'93Eventlog to Syslog\'94 service logs to facility 3, system daemon, but it can be configured to log to whatever facility you specify using the 
\i \'96f 
\i0 switch.\
\
\pard\pardeftab720\ri0\sb240\sa60

\b\fs28 \cf0 7. Appendix\
\pard\pardeftab720\li360\ri0

\fs24 \cf0 7.1 The Configuration File\
\pard\pardeftab720\li360\ri0

\b0 \cf0 If no configuration file is found a default configuration file is generated with the following contents:\
\pard\pardeftab720\li360\ri0

\f1 \cf0 \
\pard\pardeftab720\li360\ri0

\f3\fs20 \cf0 '!!!!THIS FILE IS REQUIRED FOR THE SERVICE TO FUNCTION!!!!\
'\
'Comments must start with an apostrophe and\
'must be the only thing on that line.\
'\
'Do not combine comments and definitions on the same line!\
'\
'Format is as follows - EventSource:EventID\
'Use * as a wildcard to ignore all ID's from a given source\
'E.g. Security-Auditing:*\
'\
'In Vista/2k8 and upwards remove the 'Microsoft-Windows-' prefix\
'**********************:**************************\
\pard\pardeftab720\li360\ri0

\f0\b\fs24 \cf0 Note:\
\pard\pardeftab720\li360\ri0

\b0 \cf0 In Vista/Server 2008 and onward certain Microsoft specific publishers have a 
\i Microsoft-Windows- 
\i0 prefix attached to them. The \'93Eventlog to Syslog\'94 utility strips this prefix in order to save space in the sent message. If you want to ignore one of these events then be sure to remove the prefix when you specify it in the configuration file.\
\
\pard\pardeftab720\li360\ri0

\b \cf0 7.2 The Status File (Obsolete)
\f1 \
\pard\pardeftab720\li360\ri0

\f0\b0 \cf0 The status file is updated by the agent approximately every two minutes. The agent places a single line in the file in the following format:\
\pard\pardeftab720\li360\ri0

\i \cf0 Mmm dd hh:mm:ss - Eventlog to Syslog Service Running
\f1\i0 \
\pard\pardeftab720\li360\ri0

\f0 \cf0 You may delete this file at any time and the agent will recreate it at the next interval.
\f1 \
\
\pard\pardeftab720\li360\ri0

\f0\b \cf0 7.3 Minimum Log Level/Severity\
\pard\pardeftab720\li360\ri0

\b0 \cf0 The LogLevel registry key limits the events that are processed by the utility. Only logs with a severity less than or equal to the set level will be processed. The severity ratings are as follows:\
\
\pard\pardeftab720\li360\ri0

\b \cf0 Type		Pre-2k8	Vista/2k8+\
\pard\pardeftab720\li360\ri0

\b0 \cf0 CRITICAL	N/A		1\
ERROR		1 or 2		2\
WARNING	3		3\
INFORMATION	4		4\
AUDIT/ALL	0		0\
\
Note: Since a CRITICAL severity is not available on systems prior to Vista/2k8, Level 1 is mapped to error, which is 2.
\f1 \
\
\pard\pardeftab720\li360\ri0

\f0\b \cf0 7.4 The IncludeOnly Flag
\f1 \
\pard\pardeftab720\li360\ri0

\f0\b0 \cf0 By setting the IncludeOnly flag you cause the service to treat the contents of the configuration file as allowed events. Any events NOT specified in the file will be ignored. When the flag is false, any events that ARE specified in the file are ignored.
\f1 \
\
\pard\pardeftab720\li360\ri0\sa200

\f0\b \cf0 7.5 Miscellaneous\
\pard\pardeftab720\li720\ri0
\cf0 7.5
\f1 .
\f0 1 Maximum message size\
\pard\pardeftab720\li720\ri0

\b0 \cf0 The maximum size of a Syslog message is defined as 1024 bytes. Anything beyond this threshold is truncated.\
\
\pard\pardeftab720\li720\ri0

\b \cf0 7.5.2 Polling interval\
\pard\pardeftab720\li720\ri0

\b0 \cf0 The \'93Eventlog to Syslog\'94 service polls for messages every 5 seconds.\
\
\pard\pardeftab720\li720\ri0

\b \cf0 7.5.3 Timestamps\
\pard\pardeftab720\li720\ri0

\b0 \cf0 Event timestamps are captured from the event itself.\
The agent generates its own timestamps for error and informational messages.\
\pard\pardeftab720\li720\ri0

\f1 \cf0 \
\pard\pardeftab720\li360\ri0\sa200

\f0\b \cf0 7.6 Compiling
\f4 \uc0\u8232 
\f0\b0 Compiling the service requires Microsoft Visual Studio. I use 2008, but earlier versions should also work.
\f1 \
\pard\pardeftab720\li360\ri0

\f0 \cf0 You can change the type of compile you are doing using the vcvarsall.bat script. Details can be found at this site: http://msdn.microsoft.com/en-us/library/x4d2c09s(VS.80).aspx 
\f1 \
\pard\pardeftab720\li720\fi-360\ri0\sa200

\f0 \cf0 1.	Open the appropriate Visual Studio Command Prompt (there may be 32-bit and 64-bit shortcuts) under
\f4 \uc0\u8232 
\f0 Start>Programs>Visual Studio 200x>Visual Studio Tools\
2.	Navigate to the directory containing the source files\
3.	Type 
\f5\b nmake
\f1\b0 \

\f0 4.	Wait for the task to complete. All you will need is evtsys.exe and evtsys.dll. There is also an evtsys.pdb file created for debugging if you choose to keep it.
\f1 \

\f0 5.	Once completed you can type 
\f5\b nmake clean
\f0\b0  to delete all created files, but be sure to move evtsys.exe and evtsys.dll first as those will also be deleted.\
\pard\pardeftab720\li360\ri0

\b \cf0 7.7
\f1 	
\f0 Changelog
\f1 \
\
\pard\pardeftab720\li360\ri0

\f0\b0 \cf0 Changes in v4.4:\
\pard\pardeftab720\li1080\fi-360\ri0
\ls3\ilvl1\cf0 \'95	Finally added the ability to send only specified events\
\'95	Set Audit Failures to show as Error instead of Notice on Vista/2k8+\
\'95	Allow user to specify the minimum severity to process\
\'95	Added registry keys to configure the minimum severity and mode
\f4 \uc0\u8232 
\f0 The keys are LogLevel and IncludeOnly. Both are DWORD values; 0 means disabled. See the readme for additional details.\
\pard\pardeftab720\ri0

\f1\b \cf0 \
\pard\pardeftab720\li360\ri0

\f0\b0 \cf0 Changes in v4.3.1:\
\pard\pardeftab720\li1080\fi-360\ri0
\ls4\ilvl1\cf0 \'95	Bugfix: Fixed bug where hostnames on Server 2003 and earlier were getting an extra leading space.\
\pard\pardeftab720\fi360\ri0

\f1 \cf0 \
\pard\pardeftab720\fi360\ri0

\f0 \cf0 Changes in v4.3:\
\pard\pardeftab720\li1080\fi-360\ri0
\ls5\ilvl1\cf0 \'95	Fixed a crash dealing with ignored events (Thanks to Pavel)\
\'95	Wildcards now work in the config file for event IDs. So to ignore all events from a given source, the format would be: SourceName:*\
\'95	Got rid of the evtsys.stat file. Sends the message to the Syslog server instead\
\'95	Added a registry key to control if and when the status message is sent.
\f4 \uc0\u8232 
\f0 The key is called StatusInterval with type DWORD and you specify a time in minutes. 0 means disabled.\
\pard\pardeftab720\li360\ri0

\f1\b \cf0 \
\pard\pardeftab720\li360\ri0

\f0\b0 \cf0 Changes in v4.2:\
\pard\pardeftab720\li1080\fi-360\ri0
\ls6\ilvl1\cf0 \'95	Thanks to Damien Mascre for his help with this update (UTF-8 and DHCP)\
\'95	Added UTF-8 support, so messages are now sent using UTF-8 encoding
\f4 \uc0\u8232 
\f0 Note: Tested using Syslog Watch Personal. Had to force UTF-8 codepage\
\'95	Added hostname immediately after timestamp to comply with RFC-3164\
\'95	Added ability to use a DHCP option to set syslog server (by Damien)\
\'95	Removed spaces from event source (tag) field in sent message\
\pard\pardeftab720\li360\ri0

\f1 \cf0 \
\pard\pardeftab720\li360\ri0

\f0 \cf0 Changes in v4.0:\
\pard\pardeftab720\li1080\fi-360\ri0
\ls7\ilvl1\cf0 \'95	Added ability to ignore specific events\
\'95	Added a status file for monitoring service operation\
\'95	Added event\'92s timestamp to outgoing messages\
\'95	Added compatibility with the Vista/Server 2008 Windows Events service\
\'95	Added ability to send to two Syslog servers simultaneously\
\'95	Fixed a possible memory exception with bad message definitions\
\'95	Fixed a bug where utility would not search all message files
\f1 \
}